Abstract

The cycling operation endows the super summit set $S_x$ of any element $x$ of a Garside
group $G$ with the structure of a directed graph $\Gamma_x$. We establish that the subset $U_x$
of $S_x$ consisting of the circuits of $\Gamma_x$ can be used instead of $S_x$ for deciding conjugacy
to $x$ in $G$, yielding a faster and more practical solution to the conjugacy problem
for Garside groups. Moreover, we present a probabilistic approach to the conjugacy 
search problem in Garside groups. The results are likely to have implications for 
the security of recently proposed cryptosystems based on the hardness of problems 
related to the conjugacy (search) problem in braid groups. 
1 Introduction

Given a group $G$, the conjugacy problem in $G$ is to decide for given elements
$a, b \in G$, whether $a$ and $b$ are conjugate in $G$, that is, whether there exists
an element $c \in G$ such that $a^c = b$. The conjugacy search problem in $G$, on
the other hand, is to find for given elements $a$ and $b$ which are known to be
conjugate in $G$, an element $c \in G$ such that $a^c = b$.

Both problems are known to be solvable in Garside groups, that is, in particular
in braid groups [1,2,3,4,5]. However, all known algorithms involve computing
a particular invariant of the conjugacy class, the so-called super summit
set, for either $a$ or $b$, and both the memory and the time complexity of these
algorithms are proportional to the cardinality of this set. In the case of the
braid group $B_n$, the best proven bound for this cardinality is exponential in
both the braid index $n$ and the element length $r$ and, while the existence
of polynomial bounds is conjectured, computations in practice are hard or
infeasible even for moderate values of $n$ and $r$.

Recently, braid groups came under interest as possible sources for public key 
cryptosystems and the security of most of the proposed cryptosystems depends 
on the hardness of variations of the conjugacy (search) problem [6,7]. Hence 
an improved understanding of the conjugacy problems is highly desirable. 

The crucial point in computing the super summit set $S_x$ of an element $x$ is
the following "convexity" property: For any pair of elements $u, v \in S_x$ there
are elements $u_0, \dots, u_k$ with $u_0 = u$ and $u_k = v$, such that for $i = 1, \dots, k$,
$u_i$ is obtained from $u_{i-1}$ by conjugation with a suitable element from a finite
set $D$. This allows us to compute $S_x$, starting with a single representative, as
closure with respect to conjugation by elements of $D$.

In this paper we establish that a subset of the super summit set, which in 
general is much smaller, can be used for deciding conjugacy in Garside groups. 
The set $S_x$ can be endowed with the structure of a directed graph and we will
show that the union of the circuits of this graph has the same "convexity" 
property as described above, that is, can be computed in a similar way. The 
graph structure used for proving this result also yields a fast probabilistic 
algorithm for solving the conjugacy search problem. 

1.1 Garside Groups and Monoids 

We start with a brief review of some basic terminology and facts about Garside 
groups. The results can be found, for example, in [1,2,3,4,8,9,10]. Throughout 
this section, let M be a (left and right) cancellative monoid. 

Definition 1.1 We define partial orderings $\preccurlyeq$ and $\succcurlyeq$ on the elements of $M$ as
follows. For $a, b \in M$ we say $a \preccurlyeq b$ if there exists an element $c \in M$ such that
$ac = b$ and we say $a \succcurlyeq b$ if there exists an element $c \in M$ such that $a = cb$.

We call $m$ a (left) lcm of $a$ and $b$ if $a \preccurlyeq m$, $b \preccurlyeq m$ and if for any $x \in M$, $a \preccurlyeq x$
and $b \preccurlyeq x$ implies $m \preccurlyeq x$. Similarly, we call $d$ a (left) gcd of $a$ and $b$ if $d \preccurlyeq a$,
$d \preccurlyeq b$ and if for any $x \in M$, $x \preccurlyeq a$ and $x \preccurlyeq b$ implies $x \preccurlyeq d$.

Definition 1.2 $x \in M$ is called an atom if $x \ne 1$ and if $x = ab$ for $a, b \in M$
implies $a = 1$ or $b = 1$. $M$ is called atomic if $M$ is generated by its atoms and
if for every $a \in M$ there exists a bound $N_a$ such that $a$ cannot be written as
product of more than $N_a$ atoms.

Definition 1.3 For $\delta \in M$ we define the sets $D^l_\delta = \{x \in M : x \preccurlyeq \delta\}$ and
$D^r_\delta = \{x \in M : \delta \succcurlyeq x\}$. The element $\delta$ is called a Garside element of $M$ if
$D^l_\delta = D^r_\delta$ and if $D^l_\delta$ is finite and generates $M$.

The monoid $M$ is called a Garside monoid if it is atomic, has a Garside element
$\delta$ and if for all $a, b \in M$ a gcd and a lcm of $a$ and $b$ exist. In this case, the lcm
and gcd of $a$ and $b$ are unique; we denote them by $a \vee b$ and $a \wedge b$. We call the
elements of $D^l_\delta$ the simple elements of $M$.
Theorem 1.4 Let $M$ be a Garside monoid with Garside element $\delta$ and group
of fractions $G$.

(a) $M$ embeds into $G$.

(b) If $a$ is an atom of $M$ then $a \preccurlyeq \delta$.

(c) $M$ is invariant under conjugation with $\delta$.

(d) For every $x \in G$ there are integers $r$ and $s$ such that $\delta^r \preccurlyeq x \preccurlyeq \delta^s$.

(e) There is an integer $k$ such that $\delta^k$ is central in $G$.

Definition 1.5 Let $M$ be a Garside monoid. Its group of fractions $G$ is called
a Garside group. We identify the elements of $M$ with their images in $G$ and call
them the positive elements of $G$. Let $\tau : x \mapsto x^\delta = \delta^{-1} x \delta$ be the automorphism
of $G$ induced by conjugation with $\delta$.

The partial orderings $\preccurlyeq$ and $\succcurlyeq$, and thus the notions of left gcd and left lcm,
can be extended to $G$ as follows. For $a, b \in G$, we say $a \preccurlyeq b$ if there exists an
element $c \in M$ such that $ac = b$ and we say $a \succcurlyeq b$ if there exists an element
$c \in M$ such that $a = cb$. Clearly $\preccurlyeq$ and $\succcurlyeq$ are invariant under $\tau$.

Example 1.6 Consider the monoid $B_n^+$ defined by the presentation

$$\left\langle \sigma_1, \dots, \sigma_{n-1} \;\middle|\; \begin{array}{ll}
\sigma_i \sigma_j = \sigma_j \sigma_i & (1 \le i < j - 1 \le n - 2) \\
\sigma_i \sigma_{i+1} \sigma_i = \sigma_{i+1} \sigma_i \sigma_{i+1} & (1 \le i \le n - 2)
\end{array} \right\rangle \qquad (1)$$

Its quotient group is the braid group $B_n$ on $n$ strings [11]. $B_n^+$ is a Garside
monoid with Garside element $(\sigma_1 \cdots \sigma_{n-1})(\sigma_1 \cdots \sigma_{n-2}) \cdots (\sigma_1 \sigma_2)\sigma_1$. The positive
elements of $B_n$ are simply the words in $\sigma_1, \dots, \sigma_{n-1}$ not involving inverses
of generators. There are $n!$ simple elements, corresponding to those braids
in which any two strings cross at most once. A simple element is described
uniquely by the permutation it induces on the strings and every permutation
of the $n$ strings corresponds to a simple element.

Example 1.7 The monoid $BKL^+$ generated by $\{a_{t,s} : n \ge t > s \ge 1\}$
subject to the relations

$$\begin{array}{ll}
a_{t,s} a_{r,q} = a_{r,q} a_{t,s} & \text{if } (t - r)(t - q)(s - r)(s - q) > 0 \\
a_{t,s} a_{s,r} = a_{t,r} a_{t,s} = a_{s,r} a_{t,r} & \text{if } t > s > r
\end{array}$$

also has the braid group $B_n$ as its quotient group [3]. In terms of presentation
(1), $a_{t,s} = (\sigma_{t-1} \cdots \sigma_{s+1}) \sigma_s (\sigma_{s+1}^{-1} \cdots \sigma_{t-1}^{-1})$ is a possible choice for the
generators $a_{t,s}$.

$BKL^+$ is a Garside monoid with Garside element $a_{n,n-1} a_{n-1,n-2} \cdots a_{2,1}$. The
number of simple elements of $BKL^+$ is $(2n)!/(n!(n + 1)!)$. Again, a simple
element is described uniquely by the permutation it induces on the strings,
but not every permutation of the $n$ strings corresponds to a simple element.

Notation 1.8 From now on let $M$ be a Garside monoid with Garside group $G$,
Garside element $\delta$ and set of simple elements $D$.
1.2 Normal Forms

Definition 1.9 By Theorem 1.4 there exist for every $x \in G$ integers $r \ge 0$
and $k$ such that $\delta^k \preccurlyeq x \preccurlyeq \delta^{k+r}$. Choose $k$ maximal and $r$ minimal subject
to this condition. We call $k$ the infimum, denoted by $\inf(x)$, $r$ the canonical
length, denoted $\mathrm{len}(x)$, and $k + r$ the supremum, denoted by $\sup(x)$, of $x$.

There are uniquely defined elements $A_1, \dots, A_r \in D$ such that $x = \delta^k A_1 \cdots A_r$
and $A_i^{-1}\delta \wedge A_{i+1} = 1$ for $i = 1, \dots, r - 1$. We call this representation of $x$ the
normal form of $x$. Obviously, $A_i = \delta \wedge (\delta^k A_1 \cdots A_{i-1})^{-1} x$ for $i = 1, \dots, r$.
Note that, as $A_i^{-1}\delta \preccurlyeq \delta$, we have
$A_{i+1} \cdots A_r \wedge A_i^{-1}\delta = A_{i+1} \cdots A_r \wedge \delta \wedge A_i^{-1}\delta = A_{i+1} \wedge A_i^{-1}\delta = 1$.

1.3 Super Summit Sets 

The notion of super summit sets was developed in [1] and [2] in the context 
of braid groups and extended to Garside groups in [4]. It is crucial for testing 
conjugacy in Garside groups. More details and proofs of the results quoted in 
this section can be found in the references above. 

Definition 1.10 Let $x \in G$ and denote by $x^G$ the set of conjugates of $x$. Let
$\inf_s(x) = \max\{\inf(y) : y \in x^G\}$ and $\sup_s(x) = \min\{\sup(y) : y \in x^G\}$.

The set $S_x = \{y \in x^G : \inf(y) = \inf_s(x),\ \sup(y) = \sup_s(x)\}$ is called the super
summit set of $x$. We define $\mathrm{len}_s(x) = \sup_s(x) - \inf_s(x)$.

Definition 1.11 Let $\delta^k A_1 \cdots A_r \in G$ be the normal form of $x \in G$. If $r = 0$,
let $c(x) = d(x) = x$, otherwise let $c(x) = x^{\tau^{-k}(A_1)}$ and $d(x) = x^{A_r^{-1}}$. We call
$c(x)$ and $d(x)$ the cycling of $x$ and the decycling of $x$, respectively.

Theorem 1.12 ([2], [4], [12]) Let $x \in G$.

(a) $S_x$ is finite and not empty.

(b) A representative of $S_x$ can be obtained effectively by applying a finite
sequence of cycling and decycling operations to $x$.

(c) If $y \in S_x$ then $c(y) \in S_x$ and $d(y) \in S_x$.

(d) For all $y \in G$, $\tau(c(y)) = c(\tau(y))$ and $\tau(d(y)) = d(\tau(y))$.

The following result is crucial for computing the super summit set of an element.

Theorem 1.13 (El-Rifai, Morton [2]; Picantin [4]) Let $x \in G$.

(a) For any $y, z \in S_x$ there exists $u \in M$ such that $y^u = z$.

(b) If $y \in S_x$ and $u \in M$ such that $y^u \in S_x$ then $y^{\delta \wedge u} \in S_x$.

(c) For any $y, z \in S_x$ there exist elements $y_0, \dots, y_t \in S_x$ and elements
$c_1, \dots, c_t \in D$ such that $y_0 = y$, $y_t = z$ and $y_{i-1}^{c_i} = y_i$ for $i = 1, \dots, t$.

Hence $S_x$ can be computed as follows. First obtain $\tilde{x} \in S_x$ according to Theorem
1.12 (b) and set $S = \{\tilde{x}\}$. Now keep conjugating elements of $S$ by simple
elements and add those conjugates with infimum $\inf_s(x)$ and supremum
$\sup_s(x)$ to $S$. When no new elements of $S_x$ can be found using this method,
that is, $S = \{y^c : y \in S,\ c \in D,\ y^c \in S_x\}$, then $S = S_x$.

Franco and Gonzalez-Meneses improved this algorithm as follows. 

Theorem 1.14 (Franco, Gonzalez-Meneses [5]) Let $x \in G$, $y \in S_x$ and
$u, v \in D$. If $y^u \in S_x$ and $y^v \in S_x$ then $y^{u \wedge v} \in S_x$.

Hence, for an element $y \in S$ in the algorithm outlined above, only the conjugates
by those elements which are minimal with respect to $\preccurlyeq$ in the set
$\{c \in D : c \ne 1,\ y^c \in S_x\}$ have to be considered. Franco and Gonzalez-Meneses
remark in [5] that the number of such $\preccurlyeq$-minimal elements is bounded by the
number of atoms in $M$ and give an algorithm for computing them.

1.4 Testing Conjugacy of Elements 

Since $S_x$ by definition only depends on the conjugacy class of $x$, conjugacy of
elements $x$ and $y$ of $G$ can be tested as follows [2,4,5].

Compute representatives $\tilde{x}$ of $S_x$ and $\tilde{y}$ of $S_y$ according to Theorem 1.12 (b). If
$\inf(\tilde{x}) \ne \inf(\tilde{y})$ or $\sup(\tilde{x}) \ne \sup(\tilde{y})$ then $x$ and $y$ are not conjugate. Otherwise,
start computing $S_x$ as described in Section 1.3. The elements $x$ and $y$ are
conjugate if and only if $\tilde{y} \in S_x$. Note that if $x$ and $y$ are conjugate, an element
conjugating $x$ to $y$ can be found by keeping track of the conjugations during
the computations of $\tilde{x}$, $\tilde{y}$ and $S_x$.

Remark 1.15 It is obvious that in the worst case, both the space and the
time requirements of the algorithm outlined above are proportional to the
cardinality of $S_x$.

In the cases of the monoids $B_n^+$ and $BKL^+$, the only known upper bounds for
the size of $S_x$ are exponential in $n$ and $\mathrm{len}(x)$. It is conjectured however, that
for fixed $n$, at least for $B_n^+$ a polynomial bound in $\mathrm{len}(x)$ exists [8].

Nevertheless, the rapidly growing super summit sets make computations in
general infeasible for values larger than $n \approx 10$ due to lack of memory.

Note also that distributing the computation of $S_x$ is not practical, as the set
$S$ defined in Section 1.3 is constantly accessed and modified by all nodes.

1.5 Ultra Summit Sets 

Definition 1.16 By Theorem 1.12, the super summit set $S_x$ of $x \in G$ can be
made into a finite directed graph $\Gamma_x$ with set of vertices $S_x$ and set of edges
$\{(y, c(y)) : y \in S_x\}$. Obviously, $\tau$ induces an automorphism of $\Gamma_x$.

Let $U_x$, the ultra summit set of $x$, be the subset of vertices which are contained
in a circuit of $\Gamma_x$, that is, $U_x = \{y \in S_x : c^k(y) = y \text{ for some } k > 0\}$.

For $y \in S_x$, define the trajectory $T_y = \{c^k(y) : k > 0\}$. A representative of $U_x$
can be obtained by computing $T_y$ for an arbitrary $y \in S_x$. For any $z \in T_y$,
computing $s_z \in M$ satisfying $y^{s_z} = z$ is straightforward.

The following main result of this paper will be proved in Section 2. 

Theorem 1.17 Let $x \in G$, $y \in U_x$ and let $u, v \in M$ such that $y^u \in U_x$ and
$y^v \in U_x$. Then $y^{u \wedge v} \in U_x$.

Corollary 1.18 Let $x \in G$ and $y, z \in U_x$. There exist elements $y_0, \dots, y_t \in U_x$
and elements $c_1, \dots, c_t \in D$ such that $y_0 = y$, $y_t = z$ and $y_{i-1}^{c_i} = y_i$ for
$i = 1, \dots, t$.

Proof: We may assume $y \ne z$. First note that $y \in U_x$ implies $y^\delta = \tau(y) \in U_x$
as $\tau$ is an automorphism of $\Gamma_x$. By Theorem 1.13 (a), there exists $u \in M$
with $y^u = z$. Let $s = \sup(u)$. Choose $c_1 = \delta \wedge u \in D$ and let $y_1 = y^{c_1}$ and
$\bar{u} = c_1^{-1} u \in M$. By Theorem 1.17, $y_1 \in U_x$. Moreover, $y_1^{\bar{u}} = z$ and $\sup(\bar{u}) < s$.
Iteration yields $y_1, \dots, y_t \in U_x$ and $c_1, \dots, c_t \in D$ as desired. □

Definition 1.19 Let $x \in G$ and $y \in U_x$.

(a) For any $s \in D$, Theorem 1.17 implies the existence of a unique $\preccurlyeq$-minimal
element $c_s = c_s(y)$ satisfying $s \preccurlyeq c_s \preccurlyeq \delta$ and $y^{c_s} \in U_x$.

(b) Define $D_y = \{u \in D \setminus \{1\} : y^u \in U_x\}$ and let $C_y$ be the set of elements of
$D_y$ which are $\preccurlyeq$-minimal in $D_y$. Clearly $C_y \subseteq \{c_a(y) : a \in A\}$, where $A$
is the set of atoms of $M$. In particular, $|C_y| \le |A|$.

Corollary 1.20 Let $x \in G$ and $U \subseteq$ If $\{y^c : y \in U,\ c \in C_y\} \subseteq U$ then

Proof: This follows directly from Corollary 1.18. □

The following result will also be proved in Section 2.

Theorem 1.21 Let $x \in G$, $y \in U_x$ and $z \in T_y$. For any $s \in C_z$ there exists
$t \in C_y$ such that $z^s \in T_{y^t}$.

Algorithm 1.22 Given an element $x$ of a Garside group, the following algorithm
computes the ultra summit set $U_x$ of $x$.

    Compute $\tilde{x} \in U_x$, set $U = T_{\tilde{x}}$ and $U' = \emptyset$.
    if $\tilde{x} = \delta^k$ for some $k$ then
        return $\{\delta^k\}$
    end if
    while $U \ne U'$ do
        Let $y_1, \dots, y_m \in U$ such that $U = U' \cup T_{y_1} \cup \dots \cup T_{y_m}$. Set $U' = U$.
        for $y \in \{y_1, \dots, y_m\}$ do
            Compute $C_y$ and set $U = U \cup \bigcup_{c \in C_y} T_{y^c}$.   [*]
        end for
    end while
    return $U$

The computation of the set $C_y$ in step [*] will be discussed in Section 4.
Two elements $x$ and $y$ of $G$ are conjugate in $G$ if and only if $U_x = U_y$, or
indeed, if and only if $U_x \cap U_y \ne \emptyset$. Hence, conjugacy of elements $x$ and $y$ of
$G$ can be tested, and a conjugating element can be computed, as outlined in
Section 1.4, using ultra summit sets instead of super summit sets.
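
Added example (Python; not the author's Magma implementation): the normal form of Definition 1.9, cycling, decycling and the ultra summit set for $B_n$ with the Garside structure of Example 1.6, where simple elements are permutations. It assumes that step [*] of Algorithm 1.22 may conjugate by all $n!$ simple elements instead of the minimal set $C_y$, which Corollary 1.18 permits but which restricts it to small $n$; all function names are chosen here.

```python
from itertools import permutations

# A simple element of B_n^+ is the permutation p it induces (p[i] = end position
# of the string starting at i); a braid is (k, (A_1, ..., A_r)) = delta^k A_1...A_r.

def sigma(n, i):                        # generator sigma_i, 1 <= i <= n-1
    p = list(range(n))
    p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)

def tau(p):                             # delta^-1 p delta; tau^2 = id in B_n
    n = len(p)
    return tuple(n - 1 - p[n - 1 - i] for i in range(n))

def inverse(p):
    return [p.index(i) for i in range(len(p))]

def left_weight(a, b):
    """Rewrite a*b (a, b simple) as a'*b' with a' = delta ^ (a*b)."""
    a, b = list(a), list(b)
    moved = True
    while moved:
        moved = False
        inv = inverse(a)
        for i in range(len(a) - 1):
            # b starts with sigma_{i+1} and a*sigma_{i+1} is still simple
            if b[i] > b[i + 1] and inv[i] < inv[i + 1]:
                a[inv[i]], a[inv[i + 1]] = i + 1, i
                b[i], b[i + 1] = b[i + 1], b[i]
                moved = True
                break
    return tuple(a), tuple(b)

def normalize(n, k, factors):
    """Normal form (Definition 1.9) of delta^k times a product of simples."""
    fs, changed = list(factors), True
    while changed:
        changed = False
        for i in range(len(fs) - 2, -1, -1):
            pair = left_weight(fs[i], fs[i + 1])
            if pair != (fs[i], fs[i + 1]):
                fs[i], fs[i + 1] = pair
                changed = True
    delta, one = tuple(range(n - 1, -1, -1)), tuple(range(n))
    while fs and fs[0] == delta:        # leading delta factors raise the infimum
        fs.pop(0)
        k += 1
    while fs and fs[-1] == one:         # trailing trivial factors are dropped
        fs.pop()
    return k, tuple(fs)

def from_word(n, word):                 # positive word in the sigma_i
    return normalize(n, 0, [sigma(n, i) for i in word])

def cycling(n, x):                      # c(x) = x^(tau^-k(A_1))
    k, fs = x
    if not fs:
        return x
    first = tau(fs[0]) if k % 2 else fs[0]
    return normalize(n, k, fs[1:] + (first,))

def decycling(n, x):                    # d(x) = x^(A_r^-1)
    k, fs = x
    if not fs:
        return x
    last = tau(fs[-1]) if k % 2 else fs[-1]
    return normalize(n, k, (last,) + fs[:-1])

def conjugate(n, x, c):                 # x^c = c^-1 x c for a simple c
    k, fs = x
    comp = tuple(n - 1 - j for j in inverse(c))     # c * comp = delta
    if (k - 1) % 2:
        comp = tau(comp)
    return normalize(n, k - 1, (comp,) + fs + (tuple(c),))

def first_repeat(n, x, op):             # first element the op-orbit visits twice
    seen = set()
    while x not in seen:
        seen.add(x)
        x = op(n, x)
    return x

def ultra_rep(n, x):                    # decycle to minimal sup, cycle onto a circuit
    return first_repeat(n, first_repeat(n, x, decycling), cycling)

def ultra_summit_set(n, x):
    """Algorithm 1.22 with C_y replaced by all of D (assumption; small n only)."""
    y = ultra_rep(n, x)
    k, r = y[0], len(y[1])
    found, todo = {y}, [y]
    while todo:
        y = todo.pop()
        for c in permutations(range(n)):
            z = conjugate(n, y, c)
            if z not in found and (z[0], len(z[1])) == (k, r) and first_repeat(n, z, cycling) == z:
                found.add(z)
                todo.append(z)
    return found
```

Two braids `x` and `y` are conjugate exactly when `ultra_rep(n, y) in ultra_summit_set(n, x)`; the closure above tries every simple element at every vertex, which is the cost that the minimal elements of Section 4 avoid.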



2 Proof of Theorems 1.17 and 1.21 

Throughout this section let $x \in G$ be an element of its super summit set with
non-zero canonical length, that is, let $\delta^k A_1 \cdots A_r$ be the normal form of $x$,
with $r > 0$, $k = \inf(x) = \inf_s(x)$ and $r + k = \sup(x) = \sup_s(x)$.

We need to understand how the normal forms of conjugates of x are related 
to the normal form of x. 

Proposition 2.1 Let $x$ be as above and let $u \in M$ such that $x^u \in S_x$. There
are elements $u_0, \dots, u_r$ in $M$ such that $u_0 = \tau^k(u)$, $u_r = u$ and the normal
form of $x^u$ is $\delta^k (u_0^{-1} A_1 u_1) \cdots (u_{r-1}^{-1} A_r u_r)$. Here, the factors in brackets are
understood to be the simple elements occurring in the normal form of $x^u$.
Explicitly, $u_i = A_{i+1} \cdots A_r u \wedge \delta\tau(A_i^{-1} u_{i-1})$.

Proof: Let $u_0 = \tau^k(u)$ and $u_r = u$. Define $w_1 = \delta^{-k} x^u = u_0^{-1} A_1 \cdots A_r u_r$ and
$w_{i+1} = (w_i \wedge \delta)^{-1} w_i$ for $i = 1, \dots, r - 1$. By the observation in Definition 1.9,
$w_i$ has infimum $0$ and canonical length $r + 1 - i$ and the normal form of $x^u$
is $\delta^k (w_1 \wedge \delta) \cdots (w_r \wedge \delta)$. Assume $u_{i-1} \in M$ has been found such that
$w_i = u_{i-1}^{-1} A_i \cdots A_r u_r$. Then, $A_i \preccurlyeq \delta \preccurlyeq u_{i-1}\delta$ implies $u_{i-1}^{-1} A_i \preccurlyeq w_i \wedge \delta$, that is, there
is an element $u_i \in M$ such that $w_i \wedge \delta = u_{i-1}^{-1} A_i u_i$. Now $w_{i+1} = (w_i \wedge \delta)^{-1} w_i =
u_i^{-1} A_{i+1} \cdots A_r u_r$ and $u_i = A_i^{-1} u_{i-1} (w_i \wedge \delta) = A_{i+1} \cdots A_r u \wedge \delta\tau(A_i^{-1} u_{i-1})$ as
claimed. □

Corollary 2.2 Let $x$ be as above and let $u, v \in M$ such that $x^u \in S_x$ and
$x^v \in S_x$. Let $u_0, \dots, u_r$ and $v_0, \dots, v_r$ be the positive elements obtained by
applying Proposition 2.1 to $(x, u)$ and $(x, v)$, respectively.

(a) If $u = \delta$ then $u_i = \delta$ for $i = 0, \dots, r$.

(b) If $u \preccurlyeq v$ then $u_i \preccurlyeq v_i$ for $i = 0, \dots, r$. More specifically, if $v = uw$ with
$w \in M$ and $w_0, \dots, w_r$ are the positive elements obtained by applying
Proposition 2.1 to $(x^u, w)$ then $v_i = u_i w_i$ for $i = 0, \dots, r$.

(c) If $\sup(u) = b$ then $\sup(u_i) \le b$ for $i = 0, \dots, r$. In particular, if $u$ is
simple then $u_i$ is simple for $i = 0, \dots, r$.

(d) If $u \wedge v = 1$ then $u_i \wedge v_i = 1$ for $i = 0, \dots, r$.

(e) Let $t = u \wedge v$ and let $t_0, \dots, t_r$ be the positive elements obtained by
applying Proposition 2.1 to $(x, t)$. Then $t_i = u_i \wedge v_i$ for $i = 0, \dots, r$.

Proof: (a) By Proposition 2.1, $u_i = \delta\tau(A_{i+1} \cdots A_r \wedge A_i^{-1} u_{i-1})$. As $u_0 = \delta$
and $A_{i+1} \cdots A_r \wedge A_i^{-1}\delta = 1$ by Definition 1.9, $u_i = \delta$ follows by induction.

(b) $v_0 = u_0 w_0$ is obvious. Assume $v_{i-1} = u_{i-1} w_{i-1}$. By Proposition 2.1,
$w_i = (u_i^{-1} A_{i+1} u_{i+1}) \cdots (u_{r-1}^{-1} A_r u_r) w \wedge \delta\tau\big((u_{i-1}^{-1} A_i u_i)^{-1} w_{i-1}\big)$, whence
$u_i w_i = A_{i+1} \cdots A_r v \wedge \delta\tau(A_i^{-1} v_{i-1}) = v_i$, again using Proposition 2.1. Hence the claim
follows by induction.

(c) Follows from parts (a) and (b), as $\sup(u) \le b$ if and only if $u \preccurlyeq \delta^b$.

(d) $u_0 \wedge v_0 = 1$ is obvious. Assume $u_{i-1} \wedge v_{i-1} = 1$. By Proposition 2.1,
$u_i \wedge v_i = A_{i+1} \cdots A_r (u \wedge v) \wedge A_i^{-1}\delta\tau(u_{i-1} \wedge v_{i-1}) = A_{i+1} \cdots A_r \wedge A_i^{-1}\delta = 1$,
where in the last step Definition 1.9 was used. Hence the claim follows by
induction.

(e) Note that $x^t \in S_x$ by Theorems 1.13 (b) and 1.14, that is, Proposition 2.1
can be applied to $(x, t)$. The claim then follows from parts (b) and (d), writing
$u = t\bar{u}$ and $v = t\bar{v}$ with $\bar{u} \wedge \bar{v} = 1$. □

Lemma 2.3 Let $x$ be as above, $u \in M$ such that $x^u \in S_x$. Let $u_0, \dots, u_r$
be the positive elements obtained by applying Proposition 2.1 to $(x, u)$. Let
$\varphi_x(u) = \tau^{-k}(u_1)$.

(a) $\varphi_x(u) \in M$ satisfies $c(x^u) = c(x)^{\varphi_x(u)}$.

(b) $\sup(\varphi_x(u)) \le \sup(u)$. In particular, if $u$ is simple then $\varphi_x(u)$ is simple.

(c) The conjugating element along any path in the diagram

$$\begin{array}{ccc}
x^u & \xrightarrow{\ \tau^{-k}(u_0^{-1} A_1 u_1)\ } & c(x^u) \\
\uparrow u & & \uparrow \varphi_x(u) \\
x & \xrightarrow{\ \tau^{-k}(A_1)\ } & c(x)
\end{array}$$

only depends on the starting point and the end point of the path.

Proof: (a) follows from $c(x)^{\tau^{-k}(u_1)} = x^{\tau^{-k}(A_1 u_1)} = (x^u)^{\tau^{-k}(u_0^{-1} A_1 u_1)} = c(x^u)$.
The conjugating element along the circuit $x \to x^u \to c(x^u) \to c(x) \to x$ is
$u \cdot \tau^{-k}(u_0^{-1} A_1 u_1) \cdot \varphi_x(u)^{-1} \cdot \tau^{-k}(A_1)^{-1} = 1$, proving (c). Part (b) follows from
Corollary 2.2 (c). □

Definition 2.4 In the situation of Lemma 2.3, we call $\varphi_x(u)$ the transport of
$u$ along $x \to c(x)$. If $x$ is obvious from the context, we define $u^{(0)} = u$ and
$u^{(i+1)} = \varphi_{c^i(x)}(u^{(i)})$ for $i \ge 0$.

Lemma 2.5 Let $x$ be as above and let $u, v \in M$ such that $x^u = x^v \in S_x$. If
$\varphi_x(u) = \varphi_x(v)$ then $u = v$.

Proof: Let $u_0, \dots, u_r$ and $v_0, \dots, v_r$ be the positive elements obtained by
applying Proposition 2.1 to $(x, u)$ and $(x, v)$, respectively. As $x^u = x^v$, we
have $(u_0^{-1} A_1 u_1) = \delta \wedge \delta^{-k} x^u = \delta \wedge \delta^{-k} x^v = (v_0^{-1} A_1 v_1)$. The claim then follows
from Lemma 2.3 (c). □

Lemma 2.6 Let $x$ be as above, let $u \in M$ such that $x^u \in S_x$ and let $c^N(x) = x$
and $c^N(x^u) = x^u$ for some integer $N > 0$. There is an integer $m > 0$ such
that

$$u^{(mN)} = u,$$

where we use the notation from Definition 2.4.

Proof: By Lemma 2.3 (b), $u^{(iN)} \in M$ and $\sup(u^{(iN)}) \le \sup(u)$ for every
integer $i \ge 0$. Since the number of such elements is at most $|D|^{\sup(u)}$, in
particular finite, there must exist integers $i_2 > i_1 \ge 0$ such that $u^{(i_1 N)} = u^{(i_2 N)}$;
let $i_2$ be minimal subject to this condition. Assume $i_1 > 0$. Then we can for
$l = 1, \dots, N$ conclude $u^{(i_1 N - l)} = u^{(i_2 N - l)}$ from

$$\varphi_{c^{N-l}(x)}\big(u^{(i_1 N - l)}\big) = u^{(i_1 N - (l-1))} = u^{(i_2 N - (l-1))} = \varphi_{c^{N-l}(x)}\big(u^{(i_2 N - l)}\big)$$

using Lemma 2.5. In particular, $u^{((i_1 - 1)N)} = u^{((i_2 - 1)N)}$, contradicting the
minimality of $i_2$. Hence, $i_1 = 0$ and $u^{(i_2 N)} = u^{(0)} = u$ as claimed. □

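Theorem 2.7 Let $x$ be as above, $u, v \in M$ such that $u \wedge v = 1$. If $x^u \in U_x$
and $x^v \in U_x$ then $x \in U_x$.

Proof: First note that we may assume that $c(x) \in U_x$, since if $x$ is a
counterexample with $c(x) \notin U_x$, consider $\tilde{x} = c(x) \in S_x$, $\tilde{u} = \varphi_x(u)$ and $\tilde{v} = \varphi_x(v)$.
Clearly, $\tilde{x}^{\tilde{u}} = c(x^u) \in U_x$ and $\tilde{x}^{\tilde{v}} = c(x^v) \in U_x$. Moreover, $\tilde{u} \wedge \tilde{v} = 1$ by
Corollary 2.2 (d). Repeating this process finitely many times, we arrive at a
counterexample $x$ with $c(x) \in U_x$.

Choose $N > 0$ such that $c^N(x^u) = x^u$, $c^N(x^v) = x^v$, and $c^{N+1}(x) = c(x)$. We
use the notation from Definition 2.4. According to Lemma 2.6, we can further
assume that $u^{(N+1)} = u^{(1)}$ and $v^{(N+1)} = v^{(1)}$, replacing $N$ by a suitable multiple
if necessary. Now consider the conjugations by the conjugating elements
indicated in the following diagram.

$$\begin{array}{ccccccc}
x^u & \xrightarrow{\ \alpha_u\ } & c(x^u) & \longrightarrow \cdots \longrightarrow & c^N(x^u) = x^u & \xrightarrow{\ \beta_u\ } & c(x^u) \\
\uparrow u & & \uparrow u^{(1)} & & \uparrow u^{(N)} & & \uparrow u^{(N+1)} \\
x & \xrightarrow{\ \alpha\ } & c(x) & \longrightarrow \cdots \longrightarrow & c^N(x) & \xrightarrow{\ \beta\ } & c^{N+1}(x) = c(x) \\
\downarrow v & & \downarrow v^{(1)} & & \downarrow v^{(N)} & & \downarrow v^{(N+1)} \\
x^v & \xrightarrow{\ \alpha_v\ } & c(x^v) & \longrightarrow \cdots \longrightarrow & c^N(x^v) = x^v & \xrightarrow{\ \beta_v\ } & c(x^v)
\end{array}$$

Obviously, $\alpha_u = \tau^{-k}(\delta \wedge \delta^{-k} x^u) = \beta_u$ and $\alpha_v = \tau^{-k}(\delta \wedge \delta^{-k} x^v) = \beta_v$ and by
Corollary 2.2 (d), we have $u^{(i)} \wedge v^{(i)} = 1$ for $i = 1, \dots, N$. Hence,

$$\begin{aligned}
\alpha^{-1} &= \alpha^{-1}(u \wedge v) = \alpha^{-1} u \wedge \alpha^{-1} v = u^{(1)} \alpha_u^{-1} \wedge v^{(1)} \alpha_v^{-1} \\
&= u^{(N+1)} \beta_u^{-1} \wedge v^{(N+1)} \beta_v^{-1} = \beta^{-1} u^{(N)} \wedge \beta^{-1} v^{(N)} = \beta^{-1}
\end{aligned}$$

where we used Lemma 2.3 (c) four times. We conclude $x \in U_x$ from

$$x = c(x)^{\alpha^{-1}} = c(x)^{\beta^{-1}} = \big(c^{N+1}(x)\big)^{\beta^{-1}} = c^N(x). \qquad \Box$$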
Theorems 1.17 and 1.21 now follow easily.

Theorem 1.17 Let $x \in G$, $y \in U_x$ and let $u, v \in M$ such that $y^u \in U_x$ and
$y^v \in U_x$. Then $y^{u \wedge v} \in U_x$.

Proof: If $\inf_s(x) = \sup_s(x) = k$ then $U_x = S_x = \{\delta^k\}$ and the claim follows
from Theorems 1.13 (b) and 1.14. Hence assume $\sup_s(x) > \inf_s(x)$.

Let $t = u \wedge v$. Then $u = t\bar{u}$, $v = t\bar{v}$ with $\bar{u} \wedge \bar{v} = 1$. By Theorems 1.13 (b) and
1.14, $y^t \in S_x$. As $(y^t)^{\bar{u}} = y^u \in U_x$ and $(y^t)^{\bar{v}} = y^v \in U_x$, Theorem 2.7 implies
$y^t \in U_x$. □

Theorem 1.21 Let $x \in G$, $y \in U_x$ and $z \in T_y$. For any $s \in C_z$ there exists
$t \in C_y$ such that $z^s \in T_{y^t}$.

Proof: Consider the restriction $\varphi = \varphi_y|_{D_y \cup \{1\}} : D_y \cup \{1\} \to D_{c(y)} \cup \{1\}$ of
$\varphi_y$ to $D_y \cup \{1\}$. By Lemma 2.6, $\varphi$ is bijective and, using Corollary 2.2 (b),
$\varphi(u) \preccurlyeq \varphi(v)$ if and only if $u \preccurlyeq v$ holds for all $u, v \in D_y \cup \{1\}$. We hence obtain
$C_{c(y)} = \{\varphi_y(u) : u \in C_y\}$ from which the claim follows by induction. □

3 A Probabilistic Approach to the Conjugacy Search Problem 

Given elements $x, y \in G$ which are conjugate in $G$, we can use the structure
of the graph $\Gamma_x$ for computing an element $s \in G$ satisfying $x^s = y$ without
having to compute the entire ultra summit set $U_x$.

Applying cycling and decycling operations to $x$ and $y$, respectively, we can
obtain $\tilde{x}, \tilde{y} \in U_x = U_y$ as well as $s_x, s_y \in G$ satisfying $x^{s_x} = \tilde{x}$ and $y^{s_y} = \tilde{y}$.
For $z \in T_{\tilde{x}}$, that is, $z = c^k(\tilde{x})$ for some $k$, let $s(z)$ satisfy $\tilde{x}^{s(z)} = z$.

Algorithm 3.1 Given a Garside group $G$ and elements $x, y \in G$ which are
conjugate in $G$, the following Las Vegas algorithm computes an element $s \in G$
such that $x^s = y$.

    Compute $\tilde{x}$, $s_x$, $T_{\tilde{x}}$ and $\{s(z) : z \in T_{\tilde{x}}\}$ as above.
    Compute $\tilde{y}$ and $s_y$ as above. Set $z = \tilde{y}$ and $s = s_y$.
    loop
        if $z \in T_{\tilde{x}}$ then
            return $s_x \cdot s(z) \cdot s^{-1}$
        end if
        Choose a random atom $a$ of $M$. Compute $c_a = c_a(z)$.   [*]
        Set $z = z^{c_a}$, $s = s \cdot c_a$.
    end loop

The computation of $c_a$ in step [*] (recall Definition 1.19) will be discussed in
Section 4.

Remark 3.2 The expected number of passes through the loop in Algorithm
3.1 is the number of circuits of the graph $\Gamma_x$. This loop can easily be
parallelised, since no communication between nodes is necessary.
4 Computing Minimal Elements

Throughout this section let $x \in G$ be an element of its ultra summit set with
normal form $\delta^k A_1 \cdots A_r$, where $r > 0$, and let $N$ be the minimal positive
integer satisfying $c^N(x) = x$.

In this section we show how the elements $c_s = c_s(x)$ ($s \in D$) and the set $C_x$
introduced in Definition 1.19 can be computed efficiently.

For any $s \in D$, Theorem 1.14 implies the existence of a unique $\preccurlyeq$-minimal
element $p_s = p_s(x)$ satisfying $s \preccurlyeq p_s \preccurlyeq \delta$ and $x^{p_s} \in S_x$. An algorithm for
computing $p_s$ is given in [5].

Note that $p_s \preccurlyeq c_s$ since $U_x \subseteq S_x$. Moreover, if $s = 1$ then $c_s = p_s = 1$.

Definition 4.1 Let $u \in D$ such that $x^u \in S_x$. Using the notation from
Definition 2.4, we consider the elements $u^{(iN)}$ ($i = 0, 1, \dots$). By Lemma 2.3 (b)
and since $D$ is finite, there are integers $i_2 > i_1 \ge 0$ such that $u^{(i_1 N)} = u^{(i_2 N)}$.
Let $i_1$ and $i_2$ be minimal subject to this condition and define $l_x(u) = i_2 - i_1$
and $F_x(u) = \{u^{(iN)} : i_1 \le i < i_2\}$.

Note that $1 \in F_x(u)$ if and only if $F_x(u) = \{1\}$. Moreover, if $x^u \in U_x$ then
$i_1 = 0$ by Lemma 2.6, that is, $u \in F_x(u)$.

Lemma 4.2 Let $u \in D$ such that $x^u \in S_x$, let $v \in F_x(u)$ and let $l = l_x(u)$.
Then, $v^{(ilN)} = v$ for all integers $i \ge 0$. Moreover, $x^v \in U_x$.

Proof: As

$v^{(lN)} =$

the first claim follows by induction. For the second
claim note that $c^{lN}(x^v) = x^{(v^{(lN)})} = x^v$, whence $x^v \in U_x$. □

Lemma 4.3 Let $s \in D$. If $c_s \preccurlyeq c_s^{(iN)}$ for some $i > 0$ then $c_s^{(iN)} = c_s$.

Proof: Let $c_s^{(iN)} = c_s\gamma$ with $\gamma \in M$. By induction, $c_s\gamma \preccurlyeq c_s^{(\beta iN)}$ for all
$\beta \ge 1$ from Corollary 2.2 (b). Using Lemma 4.2, this in particular implies
$c_s \preccurlyeq c_s\gamma \preccurlyeq c_s^{(l_x(c_s) iN)} = c_s$, that is, $\gamma = 1$. □

Lemma 4.4 Let $p, s \in D$ satisfy $p \preccurlyeq c_s$ and $x^p \in S_x$. Let $F = F_x(p)$.

(a) If there exists $v \in F$ such that $s \preccurlyeq v$ then $c_s = v$.

(b) If $F \ne \{1\}$ and $s \not\preccurlyeq v$ for all $v \in F$ then $c_s$ is not $\preccurlyeq$-minimal in $D_x$.

Proof: First note that by Corollary 2.2 (b), $p^{(i)} \preccurlyeq c_s^{(i)}$ for all $i \ge 0$.

(a) As $s \preccurlyeq v$ and $x^v \in U_x$ by Lemma 4.2, minimality of $c_s$ implies $c_s \preccurlyeq v$. Now
$v = p^{(iN)}$ for some $i$, whence $c_s \preccurlyeq v = p^{(iN)} \preccurlyeq c_s^{(iN)}$. Lemma 4.3 yields $v = c_s$.

(b) Let $i$ be a multiple of $l_x(c_s)$ sufficiently large so that $v = p^{(iN)} \in F$. Since
$1 \notin F$, we have $v \in D_x$ by Lemma 4.2 and Corollary 2.2 (c). Moreover, again
using Lemma 4.2, $v = p^{(iN)} \preccurlyeq c_s^{(iN)} = c_s$ and $v \ne c_s$, since $s \not\preccurlyeq v$. □

Lemma 4.5 Let $p, s \in D \setminus \{1\}$ such that $x^p \in S_x$. If there exists an integer
$i > 0$ such that $p^{(i)} = 1$ then $p \wedge \tau^{-k}(A_1) \ne 1$.

If moreover $p \preccurlyeq c_s$ and $c_s \not\preccurlyeq \tau^{-k}(A_1)$ then $c_s$ is not $\preccurlyeq$-minimal in $D_x$.

Proof: If $p^{(1)} = 1$ then Proposition 2.1 implies $\tau^k(p) \preccurlyeq A_1$. Thus we assume
$p^{(1)} \ne 1$ and $i > 1$. Let $\delta^k B_1 \cdots B_r$ be the normal form of $c(x) = x^{\tau^{-k}(A_1)}$.
According to Proposition 2.1, $(\tau^{-k}(A_1))^{(1)} = \varphi_x(\tau^{-k}(A_1)) = \tau^{-k}(B_1)$. By
induction $(p^{(1)})^{(i-1)} = p^{(i)} = 1$ yields

$$(p \wedge \tau^{-k}(A_1))^{(1)} = p^{(1)} \wedge (\tau^{-k}(A_1))^{(1)} = p^{(1)} \wedge \tau^{-k}(B_1) \ne 1$$

using Corollary 2.2 (e). This completes the proof of the first claim.

Let $c = c_s \wedge \tau^{-k}(A_1) \preccurlyeq c_s$. If $c_s \not\preccurlyeq \tau^{-k}(A_1)$ then $c \ne c_s$. Now $p \preccurlyeq c_s$ implies
$c \ne 1$ and $c \in D_x$ by Theorem 1.17, since $c(x) = x^{\tau^{-k}(A_1)} \in U_x$. □

Definition 4.6 Let $s \in D$ and let $y \in U_x$. By Theorems 1.13 (b) and 1.14 and
Corollary 2.2 (a) and (e), there exists a unique $\preccurlyeq$-minimal element $\pi_y(s) \in D$
satisfying $y^{\pi_y(s)} \in S_x$ and $s \preccurlyeq \varphi_y(\pi_y(s))$. We call $\pi_y(s)$ the pullback of $s$
along $y \to c(y)$. If $y$ is obvious from the context, we define $s_{(0)} = s$ and
— for $i \ge 0$, where < a = −i (mod $N$).

Proposition 4.7 Let $s \in D$ and let $\delta^k B_1 \cdots B_r$ be the normal form of $y \in U_x$.
Define $b_0 = 1 \vee \tau^{-k}(B_1) s \delta^{-1}$, $b_1 = \tau^k(s)$, $b_i = 1 \vee B_i^{-1} b_{i-1}$ for $i = 2, \dots, r$ and
$b = b_0 \vee b_r$. Then $b \in D$ and $p_b = \pi_y(s)$.

Proof: Firstly, $\tau(b_0) = \tau^{-k}(B_1^{-1}\delta)^{-1} \cdot (\tau^{-k}(B_1^{-1}\delta) \vee s) \in D$. Moreover, $b_1 \in D$
and $b_i = B_i^{-1} \cdot (B_i \vee b_{i-1}) \in D$ for $i = 2, \dots, r$ by induction. Hence $b \in D$.

Let $u \in D$ such that $y^u \in S_x$ and $s \preccurlyeq \varphi_y(u)$. Using the notation from
Proposition 2.1 we have $\tau^k(s) \preccurlyeq u_1 \preccurlyeq B_1^{-1} u_0 \delta = B_1^{-1} \delta \tau^{k+1}(u)$, that is,
$\tau^{-k}(B_1) s \delta^{-1} \preccurlyeq u$, whence $b_0 \preccurlyeq u$, as $u \in M$. Moreover, $u_{i-1} \preccurlyeq B_i u_i$, that is,
$B_i^{-1} u_{i-1} \preccurlyeq u_i$ for $i = 2, \dots, r$. As $b_1 = \tau^k(s) \preccurlyeq u_1$ and $u_i \in M$ for $i = 2, \dots, r$,
we obtain $b_i \preccurlyeq u_i$ for $i = 1, \dots, r$ by induction; in particular, $b_r \preccurlyeq u_r = u$.
Hence $b \preccurlyeq u$ and $p_b \preccurlyeq u$ by minimality of $p_b$, proving $p_b \preccurlyeq \pi_y(s)$.

Conversely, let $p = p_b$ and use again the notation from Proposition 2.1. Since
$\tau^{-k}(B_1) s \delta^{-1} \preccurlyeq b_0 \preccurlyeq p$, we have $\tau^k(s) \preccurlyeq B_1^{-1} \tau^k(p) \delta$. On the other hand,
$\tau^k(s) = b_1 \preccurlyeq B_2 b_2 \preccurlyeq \cdots \preccurlyeq B_2 \cdots B_r b_r \preccurlyeq B_2 \cdots B_r p$. Together these imply
$\tau^k(s) \preccurlyeq B_1^{-1} \tau^k(p) \delta \wedge B_2 \cdots B_r p = p_1$, that is, $s \preccurlyeq \varphi_y(p)$. As $y^p \in S_x$ this
proves $\pi_y(s) \preccurlyeq p$. □

Proposition 4.8 Let $s \in D$ and consider for $i = 0, 1, \dots$ the elements $s_{(iN)}$
obtained by applying Definition 4.6 for $y = c^{N-1}(x)$. As $D$ is finite, there are
integers $i_2 > i_1 \ge 0$ such that $s_{(i_1 N)} = s_{(i_2 N)}$. Choose minimal values for $i_1$
and $i_2$, let $l = i_2 - i_1$ and choose an integer $j$ such that $jl > i_1$. Finally, let

$p = p_x(s) = s_{(jlN)}$.

Then, $p \preccurlyeq c_s$ and there exists $v \in F_x(p)$ with $s \preccurlyeq v$.

Proof: Let $\beta > j$ be a multiple of $l_x(c_s)$ large enough such that $p^{(\beta lN)} \in F_x(p)$.
By Definition 4.6 and Corollary 2.2 (b), $p = s_{(jlN)} = s_{(\beta lN)}$ is the unique
$\preccurlyeq$-minimal element satisfying $x^p \in S_x$ and $s \preccurlyeq p^{(\beta lN)}$. Since $x^{c_s} \in U_x \subseteq S_x$
and $s \preccurlyeq c_s = c_s^{(\beta lN)}$, we obtain $p \preccurlyeq c_s$. □
Algorithm 4.9 Given $s \in D$ and a boolean value $f$ indicating whether
elements which are known not to be $\preccurlyeq$-minimal in $D_x$ should be discarded,
the following algorithm returns $c_s$ or identifies it as not $\preccurlyeq$-minimal in $D_x$.

    Compute $p_s$ as described in [5] and compute $F_x(p_s)$.
    if $\exists v \in F_x(p_s)$ such that $s \preccurlyeq v$ then
        return $v$
    end if
    if $f$ and $F_x(p_s) \ne \{1\}$ then
        return not minimal
    end if
    Compute $p_x(s)$ and $F_x(p_x(s))$.   [*]
    Choose $v \in F_x(p_x(s))$ such that $s \preccurlyeq v$.
    return $v$

In the case that $f$ is true, the algorithm can be aborted returning not minimal
in step [*] if $c_s$ is at any point found to be not $\preccurlyeq$-minimal in $D_x$ by Lemma 4.5.

Remark 4.10 A superset of $C_x$ whose cardinality is bounded by the number
of atoms of $M$ can be computed using Algorithm 4.9 with $f$ = true, by letting
$s$ range over all atoms of $M$. Obvious short-cuts, similar to the ones described
in [5], can be used to increase the efficiency of this process.



5 Practical Comparisons 

In this section, we present empirical results for braid groups $B_n$ given by the
presentation (1) from Section 1.1.

For several values of $n$ and $r$, we consider a set of elements $x \in B_n$ with
$\mathrm{len}_s(x) = r$, chosen at random, and compute for each such $x$ its super summit
set $S_x$ and its ultra summit set $U_x$. Let $t_S$ and $t_U$ be the times spent on
computing $S_x$ and $U_x$, respectively, and let $n_U$ be the number of trajectories
under cycling of which $U_x$ consists. We compare the average and maximal
values of $|S_x|$, $|U_x|$, $t_S$, $t_U$ and $n_U$. (See Tables 1 and 2.)

Random elements for these tests were obtained as follows. We choose
independent random simple elements $A_1, A_2, \dots$ until $\mathrm{len}(A_1 \cdots A_m) = r$, choose
a random integer $k \in \{0, 1\}$ and compute $x = \delta^k \cdot A_1 \cdots A_m$. We repeat this
process until $x$ satisfies $\mathrm{len}_s(x) = r$. (See Remark 5.1.) Note that $\delta^2$ is central
in $B_n$, whence there is a natural isomorphism of the graphs $\Gamma_x$ and $\Gamma_{\delta^{2m} x}$ for
arbitrary $m$. Our choice of $k$ thus is no restriction.

In a second series of tests we consider for several values of $n$ and $r$ a set
of elements $x = \delta^k \cdot A_1 \cdots A_r \in B_n$ obtained by choosing a random integer
$k \in \{0, 1\}$ and independent random simple elements $A_1, \dots, A_r$. We compare
the average values of $\mathrm{len}(x)$ and $\mathrm{len}_s(x)$, as well as the percentages $e_S$ and $e_U$
of elements $x$ satisfying $x \in S_x$ and $x \in U_x$, respectively. (See Table 3.)
Table 1

Average / maximal values for $|U_x|$, $|S_x|$, $t_U$, $t_S$ and $n_U$ (see text); times are given
in ms, unless stated otherwise. Where no values of $|S_x|$ and $t_S$ are given, computing
super summit sets exceeded the available memory of 512 MB.

n = 3
  r        2             5             10            20            100           1000
  |U_x|    3.1 / 4       9.8 / 10      20 / 20       40 / 40       200 / 200     2000 / 2000
  |S_x|    3.1 / 4       9.8 / 10      20 / 20       40 / 40       200 / 200     2000 / 2000
  t_U      0.1 / 10      0.2 / 10      0.4 / 11      1.1 / 11      22 / 31       4.1 s / 5.4 s
  t_S      0.1 / 9       0.3 / 10      1.0 / 11      3.4 / 11      79 / 90       15 s / 19 s
  n_U      (illegible)   (illegible)   (illegible)   (illegible)   (illegible)   (illegible)

n = 4
  r        2             5             10            20            100           1000
  |U_x|    5.6 / 10      12 / 50       20 / 40       40 / 40       200 / 200     2000 / 2000
  |S_x|    11 / 24       47 / 128      100 / 464     190 / 660     920 / 1704    9000 / 1.0e4
  t_U      0.2 / 11      0.5 / 11      0.7 / 11      1.8 / 11      45 / 81       7.8 s / 13.5 s
  t_S      0.4 / 11      2.6 / 11      9.2 / 51      29 / 121      650 / 1250    210 s / 272 s
  n_U      (illegible)   (illegible)   (illegible)   (illegible)   (illegible)   (illegible)

n = 6
  r        2             5             10            20            100           1000
  |U_x|    15 / 72       17 / 1440     21 / 60       40 / 40       200 / 200     2000 / 2000
  |S_x|    270 / 1004    3800 / 8.3e4  1.1e4 / 2.9e5 -             -             -
  t_U      1.0 / 11      (illegible)   (illegible)   (illegible)   (illegible)   (illegible)
  t_S      18 / 71       600 / 15 s    24 s / 672 s  -             -             -
  n_U      3.1 / 18      2.6 / 262     1.5 / 4       1.5 / 2       1.4 / 2       1.6 / 2

n = 8
  r        2             5             10            20            100           1000
  |U_x|    43 / 448      14 / 188      21 / 56       40 / 40       200 / 200     2000 / 2000
  |S_x|    1.3e4 / 7.3e4 -             -             -             -             -
  t_U      4.9 / 59      2.5 / 80      1.9 / 40      4.7 / 11      67 / 150      7.7 s / 17 s
  t_S      27 s / 165 s  -             -             -             -             -
  n_U      6.9 / 64      2.7 / 94      1.5 / 2       1.5 / 2       1.5 / 2       1.4 / 2


All computations were performed on a Linux PC with a 2.4 GHz Pentium 4
CPU, 533 MHz system bus and 512 MB of RAM using the author's
implementation in C, which is part of the computational algebra system
Magma [13].



5.1 Results

The main results of the tests can be summarised as follows. 

(1) The average size of $S_x$ grows very fast with increasing values of $n$.
$S_x$ is in general not computable on typical current computers for $n > 10$
or $n > 5$, $r > 15$, due to extreme memory requirements.

Table 2

Average / maximal values for $|U_x|$, $|S_x|$, $t_U$, $t_S$ and $n_U$ (see
text); times are given in ms, unless stated otherwise. In all cases, computing
super summit sets exceeded the available memory of 512 MB.

| $n$ | | $r = 2$ | $r = 5$ | $r = 10$ | $r = 20$ | $r = 100$ | $r = 1000$ |
|---|---|---|---|---|---|---|---|
| 10 | $\lvert U_x \rvert$ | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] |
| 10 | $t_U$ | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] |
| 10 | $n_U$ | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] |
| 20 | $\lvert U_x \rvert$ | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] |
| 20 | $t_U$ | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] |
| 20 | $n_U$ | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] |
| 50 | $\lvert U_x \rvert$ | 7.0 / 64 | 10 / 20 | 20 / 20 | 40 / 40 | 200 / 200 | 2000 / 2000 |
| 50 | $t_U$ | 7.8 / 50 | 8.4 / 21 | 12 / 21 | 18 / 30 | 130 / 241 | 21 s / 48 s |
| 50 | $n_U$ | 2.3 / 16 | 1.6 / 4 | 1.5 / 2 | 1.5 / 2 | 1.5 / 2 | 1.6 / 2 |
| 100 | $\lvert U_x \rvert$ | 5.2 / 32 | 10 / 10 | 20 / 20 | 40 / 40 | 200 / 200 | 2000 / 2000 |
| 100 | $t_U$ | 20 / 101 | 27 / 50 | 36 / 61 | 49 / 69 | 210 / 370 | 23 s / 32 s |
| 100 | $n_U$ | 1.7 / 8 | 1.4 / 2 | 1.5 / 2 | 1.6 / 2 | 1.5 / 2 | 1.5 / 2 |

(2) With the exception of very small values of $r$ ($r = 2, 5$), the average
size of $U_x$ is of the order of $2r$, in particular almost independent of $n$,
for the case of presentation (1) from Section 1.1. Similar tests for
presentation (2) yield an average size of the order of $nr$ for not too small
values of $r$.

There are, however, elements whose ultra summit sets are much larger
than the average values. With growing values of $n$ and $r$, these exceptions
seem to get rarer, so in some sense the situation then becomes easier.

In the tests, $U_x$ remained sufficiently small to be computed easily over
the entire parameter range.

(3) The average number of connected components (trajectories) of $U_x$ is
approximately 1.5 for larger values of $r$. Note that this implies that
computing conjugating elements by Algorithm 3.1 is very efficient.

Another consequence of this is that even in the case $n = 3$ where
$U_x = S_x$, computing $U_x$ is much faster than computing $S_x$ for large
values of $r$, since the decomposition of $U_x$ into trajectories is used
efficiently (Theorem 1.21).

(4) A random element of the form $\delta^k \cdot A_1 \cdots A_r$ with
independent random simple elements $A_1, \dots, A_r$ is surprisingly likely to
be a super summit element, that is, satisfy $x \in S_x$. In the tests for
$n > 20$, the probability for this is indistinguishable from 1 and the elements
moreover satisfy $\mathrm{len}_s(x) = r$.

Random elements as above which are ultra summit elements, on the
other hand, are very rare for $n > 5$ and were not encountered at all in
the tests for $n > 20$.

This suggests that, with the exception of braid groups on very few
strings, the ultra summit set of an element in general is a very small
subset of the super summit set.

Table 3

Average values of $\mathrm{len}(x)$ and $\mathrm{len}_s(x)$ and percentages
$e_S$ and $e_U$ of elements satisfying $x \in S_x$ and $x \in U_x$,
respectively. (See text.)

| $n$ | | $r = 2$ | $r = 5$ | $r = 10$ | $r = 20$ | $r = 100$ | $r = 1000$ |
|---|---|---|---|---|---|---|---|
| 3 | $\mathrm{len}(x)$ | 1.0 | 1.8 | 2.7 | 4.7 | 19 | 170 |
| 3 | $\mathrm{len}_s(x)$ | 0.8 | 1.4 | 2.1 | 3.7 | 17 | 170 |
| 3 | $e_S$ | 89 | 72 | 64 | 56 | 52 | 51 |
| 3 | $e_U$ | 89 | 72 | 64 | 56 | 52 | 51 |
| 4 | $\mathrm{len}(x)$ | 1.4 | 2.7 | 4.5 | 7.8 | 34 | 330 |
| 4 | $\mathrm{len}_s(x)$ | 1.2 | 2.1 | 3.6 | 6.6 | 33 | 330 |
| 4 | $e_S$ | 77 | 53 | 41 | 36 | 32 | 32 |
| 4 | $e_U$ | [illegible] | 40 | 22 | 11 | 8.7 | [illegible] |
| 6 | $\mathrm{len}(x)$ | 1.9 | 3.8 | 6.7 | 12 | 58 | 570 |
| 6 | $\mathrm{len}_s(x)$ | [illegible] | [illegible] | 5.6 | 11 | [illegible] | [illegible] |
| 6 | $e_S$ | 77 | 42 | 33 | 32 | 32 | 31 |
| 6 | $e_U$ | 30 | 4.0 | 1.1 | 0.9 | 1.0 | 1.4 |
| 10 | $\mathrm{len}(x)$ | 2.0 | 4.8 | 9.0 | 17 | 85 | 840 |
| 10 | $\mathrm{len}_s(x)$ | [illegible] | 4.3 | 8.4 | 17 | 84 | [illegible] |
| 10 | $e_S$ | 96 | 63 | 55 | 51 | 54 | 53 |
| 10 | $e_U$ | 1.4 | 0.3 | 0.0 | 0.0 | 0.1 | 0.0 |
| 15 | $\mathrm{len}(x)$ | 2.0 | 5.0 | 9.9 | 20 | 98 | 980 |
| 15 | $\mathrm{len}_s(x)$ | 2.0 | 4.9 | 9.8 | 20 | 98 | 980 |
| 15 | $e_S$ | 100 | 94 | 89 | 87 | 88 | 87 |
| 15 | $e_U$ | 0.0 | 0.0 | 0.0 | 0.1 | 0.0 | 0.0 |
| 30, 50, 75, 100 | $\mathrm{len}(x)$ | 2.0 | 5.0 | 10 | 20 | 100 | 1000 |
| 30, 50, 75, 100 | $\mathrm{len}_s(x)$ | 2.0 | 5.0 | 10 | 20 | 100 | 1000 |
| 30, 50, 75, 100 | $e_S$ | 100 | 100 | 100 | 100 | 100 | 100 |
| 30, 50, 75, 100 | $e_U$ | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |

Remark 5.1 Other methods of constructing random elements may produce
different distributions on the set of all elements $x \in B_n$ with
$\mathrm{len}_s(x) = r$ and $x \in S_x$. However, the most natural (and
computationally most efficient) way of producing random elements seems to be
computing the normal forms of longer sequences of independent random simple
elements and hence this method was used in the tests.

Note, moreover, that at least for larger values of $n$, according to our
results a product $x$ of a random power of $\delta$ and $r$ independent random
simple elements is extremely likely to satisfy both $x \in S_x$ and
$\mathrm{len}(x) = \mathrm{len}_s(x) = r$. In this sense, the distribution of
random super summit elements with given canonical length produced by the
method used in our tests is very natural.
According to tests with other methods of generating random elements, our
main results as formulated in Section 5.1 in any case do not seem to depend
on the details of random element generation.

6 Conclusions 

We defined a new invariant of conjugacy classes in Garside groups, the ultra 
summit set, using the digraph structure of the well-known super summit set 
induced by the cycling operation and established that it satisfies "convexity" 
properties analogous to the ones holding for super summit sets. Ultra summit 
sets seem to be rather natural objects and may be useful for further theoretical 
analysis of Garside groups. 

Apart from their theoretical significance, our results allow efficient
computation of ultra summit sets, providing a practical solution to the
conjugacy decision and search problems in Garside groups.

Our tests for Artin's presentation of $B_n$ show that, in particular for
larger braid index $n$, super summit elements are extremely common and super
summit sets hence are much too large to be of computational use. Ultra summit
elements, on the other hand, seem to be extremely rare and ultra summit sets
can be computed easily even for large values of braid index and canonical
length. We demonstrate that, using ultra summit sets, the conjugacy decision
and search problems can be solved in very little time on current computers for
elements of canonical length 1000 in $B_{100}$.

Hence from both a theoretical and a computational point of view, the notion 
of ultra summit sets appears to be a significant advance in the study of the 
conjugacy problems in Garside groups. 